1 | //FIXME Not checked on threadsafety yet; after checking please remove this line
|
---|
2 | /*
|
---|
3 | SHA-1 in C
|
---|
4 | By Steve Reid <sreid@sea-to-sky.net>
|
---|
5 | 100% Public Domain
|
---|
6 |
|
---|
7 | -----------------
|
---|
8 | Modified 7/98
|
---|
9 | By James H. Brown <jbrown@burgoyne.com>
|
---|
10 | Still 100% Public Domain
|
---|
11 |
|
---|
12 | Corrected a problem which generated improper hash values on 16 bit machines
|
---|
13 | Routine SHA1Update changed from
|
---|
14 | void SHA1Update(SHA_CTX* context, unsigned char* data, unsigned int
|
---|
15 | len)
|
---|
16 | to
|
---|
17 | void SHA1Update(SHA_CTX* context, unsigned char* data, unsigned
|
---|
18 | long len)
|
---|
19 |
|
---|
20 | The 'len' parameter was declared an int which works fine on 32 bit machines.
|
---|
21 | However, on 16 bit machines an int is too small for the shifts being done
|
---|
22 | against
|
---|
23 | it. This caused the hash function to generate incorrect values if len was
|
---|
24 | greater than 8191 (8K - 1) due to the 'len << 3' on line 3 of SHA1Update().
|
---|
25 |
|
---|
26 | Since the file IO in main() reads 16K at a time, any file 8K or larger would
|
---|
27 | be guaranteed to generate the wrong hash (e.g. Test Vector #3, a million
|
---|
28 | "a"s).
|
---|
29 |
|
---|
30 | I also changed the declaration of variables i & j in SHA1Update to
|
---|
31 | unsigned long from unsigned int for the same reason.
|
---|
32 |
|
---|
33 | These changes should make no difference to any 32 bit implementations since
|
---|
34 | an
|
---|
35 | int and a long are the same size in those environments.
|
---|
36 |
|
---|
37 | --
|
---|
38 | I also corrected a few compiler warnings generated by Borland C.
|
---|
39 | 1. Added #include <process.h> for exit() prototype
|
---|
40 | 2. Removed unused variable 'j' in SHA1Final
|
---|
41 | 3. Changed exit(0) to return(0) at end of main.
|
---|
42 |
|
---|
43 | ALL changes I made can be located by searching for comments containing 'JHB'
|
---|
44 | -----------------
|
---|
45 | Modified 8/98
|
---|
46 | By Steve Reid <sreid@sea-to-sky.net>
|
---|
47 | Still 100% public domain
|
---|
48 |
|
---|
49 | 1- Removed #include <process.h> and used return() instead of exit()
|
---|
50 | 2- Fixed overwriting of finalcount in SHA1Final() (discovered by Chris Hall)
|
---|
51 | 3- Changed email address from steve@edmweb.com to sreid@sea-to-sky.net
|
---|
52 |
|
---|
53 | -----------------
|
---|
54 | Modified 4/01
|
---|
55 | By Saul Kravitz <Saul.Kravitz@celera.com>
|
---|
56 | Still 100% PD
|
---|
57 | Modified to run on Compaq Alpha hardware.
|
---|
58 |
|
---|
59 | -----------------
|
---|
60 | Modified 07/2002
|
---|
61 | By Ralph Giles <giles@ghostscript.com>
|
---|
62 | Still 100% public domain
|
---|
63 | modified for use with stdint types, autoconf
|
---|
64 | code cleanup, removed attribution comments
|
---|
65 | switched SHA1Final() argument order for consistency
|
---|
66 | use SHA1_ prefix for public api
|
---|
67 | move public api to sha1.h
|
---|
68 | */
|
---|
69 |
|
---|
70 | /*
|
---|
71 | Test Vectors (from FIPS PUB 180-1)
|
---|
72 | "abc"
|
---|
73 | A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
|
---|
74 | "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
|
---|
75 | 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1
|
---|
76 | A million repetitions of "a"
|
---|
77 | 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F
|
---|
78 | */
|
---|
79 |
|
---|
80 | /* #define SHA1HANDSOFF */
|
---|
81 |
|
---|
82 | #ifdef HAVE_CONFIG_H
|
---|
83 | #include "config.h"
|
---|
84 | #endif
|
---|
85 |
|
---|
86 | #include <stdio.h>
|
---|
87 | #include <string.h>
|
---|
88 |
|
---|
89 | #include "sha1.h"
|
---|
90 |
|
---|
91 | #define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
|
---|
92 |
|
---|
93 | /* blk0() and blk() perform the initial expand. */
|
---|
94 | /* I got the idea of expanding during the round function from SSLeay */
|
---|
95 | /* FIXME: can we do this in an endian-proof way? */
|
---|
96 | #if __BYTE_ORDER == __BIG_ENDIAN
|
---|
97 | #define blk0(i) block->l[i]
|
---|
98 | #else
|
---|
99 | #define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \
|
---|
100 | |(rol(block->l[i],8)&0x00FF00FF))
|
---|
101 | #endif
|
---|
102 | #define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \
|
---|
103 | ^block->l[(i+2)&15]^block->l[i&15],1))
|
---|
104 |
|
---|
105 | /* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */
|
---|
106 | #define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5);w=rol(w,30);
|
---|
107 | #define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=rol(w,30);
|
---|
108 | #define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30);
|
---|
109 | #define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=rol(w,30);
|
---|
110 | #define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30);
|
---|
111 |
|
---|
112 |
|
---|
113 | #ifdef VERBOSE /* SAK */
|
---|
114 | void SHAPrintContext(SHA_CTX *context, char *msg){
|
---|
115 | printf("%s (%d,%d) %x %x %x %x %x\n",
|
---|
116 | msg,
|
---|
117 | context->count[0], context->count[1],
|
---|
118 | context->state[0],
|
---|
119 | context->state[1],
|
---|
120 | context->state[2],
|
---|
121 | context->state[3],
|
---|
122 | context->state[4]);
|
---|
123 | }
|
---|
124 | #endif /* VERBOSE */
|
---|
125 |
|
---|
126 | /* Hash a single 512-bit block. This is the core of the algorithm. */
|
---|
127 | void SHA1_Transform(uint32_t state[5], const uint8_t buffer[64])
|
---|
128 | {
|
---|
129 | uint32_t a, b, c, d, e;
|
---|
130 | typedef union {
|
---|
131 | uint8_t c[64];
|
---|
132 | uint32_t l[16];
|
---|
133 | } CHAR64LONG16;
|
---|
134 | CHAR64LONG16* block;
|
---|
135 |
|
---|
136 | #ifdef SHA1HANDSOFF
|
---|
137 | static uint8_t workspace[64];
|
---|
138 | block = (CHAR64LONG16*)workspace;
|
---|
139 | memcpy(block, buffer, 64);
|
---|
140 | #else
|
---|
141 | block = (CHAR64LONG16*)buffer;
|
---|
142 | #endif
|
---|
143 |
|
---|
144 | /* Copy context->state[] to working vars */
|
---|
145 | a = state[0];
|
---|
146 | b = state[1];
|
---|
147 | c = state[2];
|
---|
148 | d = state[3];
|
---|
149 | e = state[4];
|
---|
150 |
|
---|
151 | /* 4 rounds of 20 operations each. Loop unrolled. */
|
---|
152 | R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
|
---|
153 | R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
|
---|
154 | R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
|
---|
155 | R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
|
---|
156 | R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
|
---|
157 | R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
|
---|
158 | R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
|
---|
159 | R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
|
---|
160 | R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
|
---|
161 | R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
|
---|
162 | R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
|
---|
163 | R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
|
---|
164 | R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
|
---|
165 | R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
|
---|
166 | R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
|
---|
167 | R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
|
---|
168 | R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
|
---|
169 | R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
|
---|
170 | R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
|
---|
171 | R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
|
---|
172 |
|
---|
173 | /* Add the working vars back into context.state[] */
|
---|
174 | state[0] += a;
|
---|
175 | state[1] += b;
|
---|
176 | state[2] += c;
|
---|
177 | state[3] += d;
|
---|
178 | state[4] += e;
|
---|
179 |
|
---|
180 | /* Wipe variables */
|
---|
181 | a = b = c = d = e = 0;
|
---|
182 | }
|
---|
183 |
|
---|
184 |
|
---|
185 | /* SHA1Init - Initialize new context */
|
---|
186 | void SHA1_Init(SHA_CTX* context)
|
---|
187 | {
|
---|
188 | /* SHA1 initialization constants */
|
---|
189 | context->state[0] = 0x67452301;
|
---|
190 | context->state[1] = 0xEFCDAB89;
|
---|
191 | context->state[2] = 0x98BADCFE;
|
---|
192 | context->state[3] = 0x10325476;
|
---|
193 | context->state[4] = 0xC3D2E1F0;
|
---|
194 | context->count[0] = context->count[1] = 0;
|
---|
195 | }
|
---|
196 |
|
---|
197 |
|
---|
198 | /* Run your data through this. */
|
---|
199 | void SHA1_Update(SHA_CTX* context, const uint8_t* data, const size_t len)
|
---|
200 | {
|
---|
201 | size_t i, j;
|
---|
202 |
|
---|
203 | #ifdef VERBOSE
|
---|
204 | SHAPrintContext(context, "before");
|
---|
205 | #endif
|
---|
206 |
|
---|
207 | j = (context->count[0] >> 3) & 63;
|
---|
208 | if ((context->count[0] += len << 3) < (len << 3)) context->count[1]++;
|
---|
209 | context->count[1] += (len >> 29);
|
---|
210 | if ((j + len) > 63) {
|
---|
211 | memcpy(&context->buffer[j], data, (i = 64-j));
|
---|
212 | SHA1_Transform(context->state, context->buffer);
|
---|
213 | for ( ; i + 63 < len; i += 64) {
|
---|
214 | SHA1_Transform(context->state, data + i);
|
---|
215 | }
|
---|
216 | j = 0;
|
---|
217 | }
|
---|
218 | else i = 0;
|
---|
219 | memcpy(&context->buffer[j], &data[i], len - i);
|
---|
220 |
|
---|
221 | #ifdef VERBOSE
|
---|
222 | SHAPrintContext(context, "after ");
|
---|
223 | #endif
|
---|
224 | }
|
---|
225 |
|
---|
226 |
|
---|
227 | /* Add padding and return the message digest. */
|
---|
228 | void SHA1_Final(uint8_t digest[SHA_DIGEST_LENGTH], SHA_CTX* context)
|
---|
229 | {
|
---|
230 | uint32_t i;
|
---|
231 | uint8_t finalcount[8];
|
---|
232 |
|
---|
233 | for (i = 0; i < 8; i++) {
|
---|
234 | finalcount[i] = (unsigned char)((context->count[(i >= 4 ? 0 : 1)]
|
---|
235 | >> ((3-(i & 3)) * 8) ) & 255); /* Endian independent */
|
---|
236 | }
|
---|
237 | SHA1_Update(context, (uint8_t *)"\200", 1);
|
---|
238 | while ((context->count[0] & 504) != 448) {
|
---|
239 | SHA1_Update(context, (uint8_t *)"\0", 1);
|
---|
240 | }
|
---|
241 | SHA1_Update(context, finalcount, 8); /* Should cause a SHA1_Transform() */
|
---|
242 | for (i = 0; i < SHA_DIGEST_LENGTH; i++) {
|
---|
243 | digest[i] = (uint8_t)
|
---|
244 | ((context->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
|
---|
245 | }
|
---|
246 |
|
---|
247 | /* Wipe variables */
|
---|
248 | i = 0;
|
---|
249 | memset(context->buffer, 0, 64);
|
---|
250 | memset(context->state, 0, 20);
|
---|
251 | memset(context->count, 0, 8);
|
---|
252 | memset(finalcount, 0, 8); /* SWR */
|
---|
253 |
|
---|
254 | #ifdef SHA1HANDSOFF /* make SHA1Transform overwrite its own static vars */
|
---|
255 | SHA1_Transform(context->state, context->buffer);
|
---|
256 | #endif
|
---|
257 | }
|
---|